Topic mega dump 2014 (3 of 3)

posted Mar 2, 2015, 7:50 AM by Sami Lehtinen   [ updated Mar 2, 2015, 7:54 AM ]
  • Backblaze Hard Drive Reliability Update
  • One investment company didn't use HTTPS for their customer pages in 2014. That's incredible. Also many forms were served using HTTP only and then the results were submitted over HTTPS. When I complained they said it's ok, because the information is submitted over HTTPS. But no user knows or notices if someone edits the page and removes the HTTPS. As well, you don't really know where the data is being submitted without checking the source. An MitM attack would also allow modifying the form sent over HTTP easily, choosing arbitrary content for the questions as well as the destination for the form contents.
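    A small checker for exactly this situation, as an added example (not code from the original post): it lists every form on a page and flags forms served over HTTP, forms submitting over HTTP, and forms posting to a host other than the page's own. The page URL and HTML below are constructed for the example.

```python
"""Report HTML forms whose transport or destination a user would not expect.

Added example, not from the original post. Flags forms that are served over
plain HTTP (the page itself can be rewritten in transit), that submit over
plain HTTP, or that submit to a different host than the page.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect the method and action attribute of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        attrs = dict(attrs)
        self.forms.append({
            "method": (attrs.get("method") or "get").lower(),
            "action": attrs.get("action") or "",
        })


def audit_forms(page_url, html):
    """Return one dict per form: method, resolved target URL and a list of issues."""
    collector = FormCollector()
    collector.feed(html)
    page = urlsplit(page_url)
    findings = []
    for form in collector.forms:
        # An empty or relative action resolves against the page URL itself.
        target = urlsplit(urljoin(page_url, form["action"]))
        issues = []
        if page.scheme != "https":
            issues.append("page served over HTTP: form can be rewritten in transit")
        if target.scheme != "https":
            issues.append("form submits over HTTP")
        if target.netloc != page.netloc:
            issues.append("form submits to another host: %s" % target.netloc)
        findings.append({"method": form["method"],
                         "target": target.geturl(), "issues": issues})
    return findings


# Constructed sample: an HTTP page with one form that looks fine and one
# whose action points at a third-party host.
SAMPLE_HTML = """
<html><body>
<form method="post" action="https://www.example.com/login">...</form>
<form method="post" action="http://collector.example.net/submit">...</form>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_forms("http://www.example.com/account", SAMPLE_HTML):
        print(f["method"].upper(), f["target"], "->", "; ".join(f["issues"]) or "ok")
```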
  • Read TorCoin plan.
  • Read good long post about Amazon's Elasticsearch. - Unfortunately I don't have real use cases for such system right now. As well as I consider many Amazon services to be actually quite expensive compared to competition.
  • Had a discussion about how to learn stuff. My view: "I think it would be better to learn the same skills on something concrete, and being productive while learning, and not spending resources only on learning. That's one of the reasons why I now study programming by deciding on a project which requires a certain skill set and level. Then I proceed building it to at least an alpha or MVP level. Which allows me to create something useful as well as learning the required skills. Yes, this takes more effort than only 'skimming' a book on some specific topic, but then I know the topic a bit deeper and hopefully generated something useful while learning."
  • Something different: Semi-automatic transmission, Canard, Tricycle landing gear, Free piston engine, Wave disk engine - A free piston engine can be used as a linear generator. In such an engine there would be only moving valves and a piston. No crankshaft or physical output axle. - Iron Dome, Skyshield, Depleted uranium, Quad TiltRotor, Supervolcano, MANTIS, AMOS, CV90, Rutherford, V-3 cannon, Psychological Warfare, Ballista, Catapult, Trebuchet, Hall effect thruster, VASIMR, Inertial Navigation System, Anti-aircraft warfare.
  • Also reminded myself about: Counterintelligence, Countersurveillance, Computer forensics, Forensics data analysis, Distraction, Cover-up, Disinformation.
  • Did a few short tests using Google Cloud Messaging and my phone. I had one specific project on my mind, and I found out that the delivery latency as well as the latency jitter were totally unsuitable for the potential requirements of the project. But in general I really like the concept of one messaging solution which can be used to trigger events and so on, which naturally saves a lot of energy compared to running tons of different applications polling something constantly or even keeping idle TCP connections (with repeated ping/idle/alive messages) open, consuming CPU, bandwidth, memory and battery resources.
  • Facebook data center concepts Wedge and FBOSS as well as the disaggregated network. - Kw: switch, configuration management, statistics packages, environmental handling, microserver, modular enclosure, control logic, switching module, Open Compute Project (OCP).
  • Reminded myself about Graph databases. - But the specification made me smile: "A graph database is any storage system that provides index-free adjacency." - Hmm? Index, that's a tough definition question. I would say it's a "direct pointer" to data, one that doesn't require an index. But with current complex systems, that definition must be really loose. Because any lookup table could be considered an index, and therefore I believe that most current systems simply can't provide index-free solutions. There are so many layers of indexing already in existence on modern systems. But if we return to legacy systems, an in-RAM graph database could be something where record A has direct pointers to other records, with memory addresses where the data is being stored. As an example, inodes in file systems. When making the comparison to file systems, if the record contains a filename that's a fail. Because looking up an inode using a filename requires using an index for the lookup. Or if indexing isn't being used then it means going through a list of filenames in the directory, which is even worse. In a way I really like legacy programming and C. Because many high level systems distance developers from what's really happening. A really simple naive legacy implementation is much cleaner. Dictionary, hashtable or whatever = index = fail; a direct memory pointer or disk address doesn't require an index. Except that if data is being stored on an SSD or any modern system, there are already multiple layers of lookup tables and indexes. And the same applies to modern operating systems, paged memory and so on. Actually when these modern systems are used and you listen to how high level developers describe those, it might sound like they don't know computing at all. And they might not be able to describe on a low level what's happening and how.
  • Read documentation about PostgreSQL / FreeBSD performance and scalability on a 40 core machine
  • Checked out Google Cloud Save, a cloud data storage for Android devices.
  • Google Cloud Platform - Cloud Endpoints. Just an additional layer making the use of App Engine with Android easier for developers.
  • Checked out Google Cloud Monitoring - Would this be what's needed for future monitoring of cloud based services? Seems a bit lighter solution than what I'm currently running. But I liked the way they provide ready installation using Puppet, Chef and Ansible.
  • Google Dataflow - This is something I could use for my ETL tasks if required. Most of those tasks are currently running locally with the primary application server. But if there's too much data to be processed by that server, relocating the whole system into the cloud should be a future-proof option. Provides a data pipeline and data transformation layers, which I've currently implemented in my own integration module. Yet I don't really like the fact it's Java only. I've written all of my latest code using Python 3 and left Java gathering dust where it should be.
  • Lightly checked out Google Polymer, Web Components, Meteor and Mozilla X-Tags - This is something I could love. Something which is quite simple to use and makes web UI and application development much simpler. Current solutions with Angular and web server side stuff and tons of different JS frameworks combined for the UI side make development a quite complex mess. You'll have to know so many different technologies well as well as know exactly how those can be fitted together. On the other side, those high level frameworks could add considerable load on the server as well as on the client side. Just like the guys mentioned in the Don't Use Angular post. - No link to a single post because there are multiple good posts on this topic. If I were a JavaScript programmer I might like the concept of Meteor a lot.
    It's a bit like the situation with cross-platform mobile application development. Use something like Intel XDK and you'll get one slow bloated application which will perform poorly on all platforms.
    If you got interested also check out MEAN.
  • HTML Include - This is something I've been wanting to use since the early 90's. iframe came, but it's not the same as a simple include. Of course there were solutions to make server side includes, and template engines do nested includes and stuff like that. But it's not the same as a simple include on the browser side.
  • It seems that someone else came to exactly the same idea as I did. Why isn't Brython served by a global CDN, and why isn't it using (even optional) HTTPS? Delivering a JavaScript library to the whole world from one server at OVH, France isn't an optimal solution. Lack of HTTPS and IPv6 isn't so great either. My personal suggestion for a CDN would be using cdnjs.
  • Digital Panopticon - You're being watched. What will the future be like?
  • Most popular programming languages 2014. - Python is strong, as is Java, even if I don't love it anymore. - Java seems simple, but you'll end up generating a lot of bloat code, diminishing development joy and efficiency.
  • I finally figured out why some of the stuff I was battling with Peewee ORM, PostgreSQL and Python didn't work at all. Reason? It's very simple and quite a traditional trap with ORMs and especially with dynamic programming languages and databases.
    Peewee ORM - Oh joy. It took me a while to figure out that Python's Peewee ORM handles default and None differently than Python usually does.
    Usually None != True and None != False are True, but in the case of Peewee ORM, those won't be True. That's because None is only None, for example None == None is True. Now it's finally clear. It also seems that even if there's a default value defined for the Model, it isn't used in case the referenced foreign key is missing. So you'll need to write X == None or X == False, and only then is that about the same as X != True, even if the default value for X is False. This is especially important to remember when doing outer joins.
    Did I feel stupid after this? Yes I did. It's just like SELECT * FROM table WHERE data = 0, and then you finally figure out that it returns a completely different number of records than SELECT * FROM table WHERE data = 0.0. Isn't that fun? This is exactly why you should know your tools well, or otherwise you'll end up with really nasty surprises. Even basic unit testing won't catch those unless you're specifically acknowledging that you should test for those cases. I assume that part of this problem is the fact that Peewee ORM doesn't have an exact NOT operator. ~ used by Peewee is about the same.
    Of course there are silly workarounds for the previous problem. One was that I could ask for the count of matching records and if it's 0 then it's the same as == None, but that's silly. Another was compiling a sublist of potential join entries and then asking if key not in (sublist), which also excludes records which do not have references. Both of these solutions do work, but are quite non-optimal. Isn't this just what normal programmers do? Now it works, fine, let's continue. Even if the solution is slow, crazy and doesn't make any sense.
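    The trap above is ordinary SQL three-valued logic, which the ORM passes straight through: after an outer join the missing side is NULL, and NULL != 1 is neither true nor false. Added example (not the post's code, and using the standard library sqlite3 module instead of Peewee so the SQL is visible); the orders/shipments tables are constructed for the demo.

```python
"""Why `X != True` silently drops rows after an outer join.

Added example, not from the original post. Uses sqlite3 directly rather than
Peewee so the generated SQL and NULL semantics are plain to see. The
tables and rows are constructed for the example.
"""
import sqlite3


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE orders (id INTEGER PRIMARY KEY);
        CREATE TABLE shipments (
            order_id INTEGER REFERENCES orders(id),
            done     INTEGER NOT NULL DEFAULT 0   -- the model's default is False
        );
        INSERT INTO orders (id) VALUES (1), (2), (3), (4);
        INSERT INTO shipments VALUES (1, 1);  -- shipped
        INSERT INTO shipments VALUES (2, 0);  -- not shipped
        -- orders 3 and 4 have no shipment row at all: the column default
        -- never applies, and after a LEFT JOIN their `done` is NULL
    """)
    return db


BASE = """
    SELECT orders.id FROM orders
    LEFT OUTER JOIN shipments ON shipments.order_id = orders.id
    WHERE %s ORDER BY orders.id
"""


def unshipped_naive(db):
    """`done != 1` looks right, but NULL != 1 evaluates to NULL, never true."""
    return [r[0] for r in db.execute(BASE % "shipments.done != 1")]


def unshipped_correct(db):
    """Test for the missing join row explicitly, as the post ended up doing."""
    return [r[0] for r in db.execute(
        BASE % "shipments.done IS NULL OR shipments.done = 0")]


def unshipped_via_not_in(db):
    """The 'key not in (sublist)' workaround: correct, but it needs a second
    pass over every shipped order instead of one filtered join."""
    return [r[0] for r in db.execute(
        "SELECT id FROM orders WHERE id NOT IN "
        "(SELECT order_id FROM shipments WHERE done = 1) ORDER BY id")]


if __name__ == "__main__":
    db = build_db()
    print("naive   :", unshipped_naive(db))      # [2]  -- 3 and 4 are lost
    print("correct :", unshipped_correct(db))    # [2, 3, 4]
    print("not in  :", unshipped_via_not_in(db)) # [2, 3, 4]
```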
  • Reminded myself about Enterprise Service Bus (ESB) stuff. I'm actually quite glad that many customers select simple, lightweight and more efficient integration methods. Some customers even clearly say that we have that ESB but well, let's just make this work and not use it. Smile. That fits quite well with my current view of avoiding bloat and overhead when it isn't absolutely required.
  • Tor exit node operator prosecuted in Austria. - This battle with Internet freedom and Surveillance will be long, we're living interesting times.
  • hubiC - Excellent European cloud file storage service with a bit better pricing than what Box or Dropbox and many other alternatives provide. Data is also stored in three separate data centers for storage reliability and availability.
  • I thought that email would be a thing of the past soon. But it doesn't seem to be that way. New email clients are popping up all the time. Mailpile is one of those.
  • Python 3.4 asyncio with examples - A nice post about new features. This is also one of the reasons I'm not using the (whatever) pipe / queue solutions from (whatever) providers. When servers are clustered together with great interconnectivity, it's pointless to pass data via cloud adding bandwidth costs and latency. As well as because it's so simple using Python alone, I don't want to mess up my projects with additional and needless dependencies. Those should be brought in only if those offer some killer advantage over existing solution. Which they do not currently do. This is exactly the reason why most of my projects are also using SQLite3 and only some projects use PostgreSQL.
  • Whoa, Hotmail and Outlook are finally supporting SMTPS (TLS/SSL) SMTP transport. - I wonder why it took so long.
  • Google Compute Engine is providing Persistent SSD Disk storage as well as global load balancing. - Which is nice.
  • Vultr seems like a good competitor for Digital Ocean. Based on quick tests they provide an even better cost/performance ratio than Digital Ocean.
  • NSA targets privacy-conscious - Even more interesting development, maybe we do have something to hide? But who's we? Maybe NSA will find out, maybe not.
  • I thought about messaging client which would use DHT for data storage. Everything in the DHT storage would be encrypted and all data would pass via DHT storage using pseudo-random data access patterns. In some cases even the encryption key itself could be used for covert messaging. The payload is basically meaningless, it's all about the key which could be used to decrypt it successfully.
  • PyCon 2014 - Multi-factor authentication, Postgres Performance for Humans
  • One guy said in one tech talk that his job is to do all the tasks that the engineers can't get done. - Made me lol so much - I don't know why this sounds so familiar. - My work is to be a kind of SWAT team or special unit, when the other departments just can't handle it. - It's good and bad. Because you're going to get all the very problematic cases to solve. Which might require long monitoring, deep analysis, extensive logging and so on. (I'm actually right now working on one such complex case (Feb 2015). The issue has been analyzed for several months by others, but there aren't any real results. I guess I'll have to dig deeper than that.)
  • Checked out Google Drive Pricing and compared it to hubiC - Yes there are price differences.
  • COMSEC - Communications Security
  • It's important to have certain arrangements made beforehand, allowing you to maintain the capability to communicate securely even in time of a real major crisis. Private out of band communications using multiple separate communication channels and without the need to rely on existing networks like mobile phones or Internet connectivity. - It's also a good idea to have a few anonymous Internet connections, which are using 4G data.
  • I guess people with Comsec, Infosec, privacy, covert communication, system administration and good general IT knowledge and skills can be dangerous, if there is just a motivation for nefarious intent. But why bother if there's no good enough reason?
  • Cheap cloud services and optimized code could easily be used to generate such a flood of messages into the Bitmessage system that it would overwhelm most network peers. I don't know if proof of work is the right way to secure and limit network resources in the future.
  • NSA classifies Linux Journal readers, Tor and Tails Linux users as "extremists" - Are Linux users really that dangerous?
  • Maintaining covert identities is hard, really hard. It doesn't require anything else than a simple habit based fail to ruin it all. It's something that needs to be practiced a lot to learn. If you just read about it and try it, you're going to fail, badly.
  • Actually I came up with this before the "Lorem Ipsum" stuff came out. My plan? Having a simple application which generates cipher text which is then translated to viable looking normal plain text, so it wouldn't trigger "encrypted communication" alarms. The program should have pluggable dictionaries and language modules so that it could be used with multiple languages. It's a kind of steganography. The first point of this whole thing is not to trigger any suspicion at all. See stegano.net
  • Turned NLA, TLS and 128 bit encryption on for all systems when using RDP. - For some strange reason this prevents Remmina from connecting. I guess it has something to do with the high cryptography requirement, because Remmina does support TLS and NLA.
  • Are privacy enhancing tools pro or con? Maybe using some simple basics could keep you off the radar? Instead of using well known yet efficient tools which arouse suspicion. I was thinking of building a really simple text steganography tool just for fun. Embedding messages in text using the C&W method with compression, encryption and ECB. The result is text which doesn't seem suspicious but still contains a strongly secured message. Depending on the filler text, of course, statistical analysis would pretty easily reveal that something is going on. Of course these questions are related to any privacy tools. If you're trying to keep things private and secret, you must have something to hide, right? Especially when privacy tools aren't so commonly used, so it really sticks out when someone is using high grade privacy tools.
  • Stego - Text Steganography tool.
  • *** different attacks and stuff like that... False Flag strikes? Who gets the blame game?
  • Subliminal channels - A way to pass communication over unencrypted links. Just like the time stamp modifications with PW.
  • Canary Trap - Creating different documents for different recipients to see which one leaked.
  • Charge Cycle - Battery tech, how many charge cycles can your batteries take?
  • KW: EDI envelope, SOAP envelope and Finvoice envelope.
  • JSON Resume standard - Nice way for hackers to represent data in consistent way?
  • Tried Windows IP Ban service, but it didn't work out as well as it should. Didn't like it.
  • Xiki - Improved (Amazing?) shell - Had to play with it, but didn't see a need for it being used for daily operations.
  • Credit Card Skimming - List of different kind of modern (?) skimmers. It's so silly that the magstrip is still being used.
  • Parsing the Accept-Language header using Python. I didn't use that one, I wrote my own version. It takes the list, sorts it by preference and then finds the first match in my list of available languages.
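    An implementation of that approach, as an added example (not the post author's version): parse the header with its q-values, sort by preference, then return the first entry that matches a language the site can serve. The available-language list and sample headers are constructed for the demo; the parser also caps the number of entries and drops malformed ones, since the header is untrusted client input.

```python
"""Parse an Accept-Language header and choose the best available language.

Added example, not the post author's code. Matching rule assumed here: a
bare primary tag ('en') matches a regional variant ('en-GB') and vice
versa, and '*' matches the first available language.
"""


def parse_accept_language(header, max_items=50):
    """Return [(tag, q)] sorted by descending q, ties kept in header order.

    Malformed entries and q=0 ("not acceptable") are skipped, and the list
    is capped so a hostile header cannot make the server do unbounded work.
    """
    prefs = []
    for pos, part in enumerate(header.split(",")[:max_items]):
        fields = part.strip().split(";")
        tag = fields[0].strip().lower()
        if tag != "*" and not tag.replace("-", "").isalnum():
            continue                      # empty or garbage tag
        q = 1.0
        for param in fields[1:]:
            name, _, value = param.strip().partition("=")
            if name.strip() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0               # unparsable weight: treat as rejected
        if 0.0 < q <= 1.0:
            prefs.append((tag, q, pos))
    prefs.sort(key=lambda t: (-t[1], t[2]))
    return [(tag, q) for tag, q, _ in prefs]


def choose_language(header, available, default):
    """Return the first entry of `available` matching the client's ranking."""
    avail = [a.lower() for a in available]
    for tag, _ in parse_accept_language(header):
        if tag == "*":
            return available[0]
        for i, a in enumerate(avail):
            if a == tag or a.split("-")[0] == tag.split("-")[0]:
                return available[i]
    return default


if __name__ == "__main__":
    AVAILABLE = ["en", "fi", "sv"]           # constructed sample
    for h in ("fi-FI,fi;q=0.8,en-US;q=0.5",
              "de;q=0.9, sv;q=0.4, en;q=0.4",
              "zz, *;q=0.1",
              ""):
        print(repr(h), "->", choose_language(h, AVAILABLE, "en"))
```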
  • Python 2.x vs 3.x survey results
  • It's known that comparing cloud service pricing is really hard. Sometimes nearly impossible. Some providers give a lower price and yet provide 10x the performance. It's interesting to notice how bad the performance AWS is actually providing is. If you compare AWS prices to Hetzner prices the difference is mind blowing.
  • It's just horrible how many people won't take proper care of their PGP/GPG keys; when the hard drive crashes they just generate new keys and assume that everyone should trust those right away. Sounds like a really bad practice.
  • Hacking Government Surveillance Malware - Totally awesome story including technical details!
  • Storing personal names - First name last name, a good idea? Well, it isn't. That's why I'm using only single unicode field for name.
  • SSL CA information shouldn't be trusted - No news here
  • Reminded myself about Kaizen - That's something everyone should follow automatically.
  • Kaikaku - Disruptive innovation and change / pivot
  • XG-Fast - 10 Gigabit links over copper. But as a logical drawback the distances are getting quite small.
  • KW: Enterprise Resource Management (ERM)
  • Open Data - Simply put, "Personal data should belong to the people". If I store my data in some service, why can't I download it all easily?
  • Python is now the most popular programming language in top universities
  • Yet another file storage service. Amazon WorkDocs.
  • PyCon Taiwan @ YouTube
  • Amazon Cognito - Similar service compared to Google Save. Easily store application data for users in the cloud.
  • There is a clear bug in Deluge Bittorrent client, per file connection limit doesn't work properly.
  • OSPFv3 vs OSPFv2 What is different? - Really nice post, I haven't yet used OSPFv3 but reading this was good intro, it's important to know that there are new LSA types and possibility for multiple instances over same link.
  • SQLite: Small. Fast. Reliable. Choose any three - Excellent post about SQLite3
  • Google Noto fonts for all languages.
  • Studying lossy image compression efficiency - One of my favorite topics. It remains to be seen if JPEG finally gets some viable alternative. I've also read about JPEG patent fights; some open source projects are worried about JPG patents. Well, I don't miss JPEG and there are already better options like WebP and BPG, which just haven't received wide adoption unfortunately. Here's an excellent image compression comparison site.
  • Is your application ready to handle CJK chars? Should be if it's UTF-8 compatible and uses right fonts, but there might be some traps. Like string length limits and so on.
  • We also see Mojibake often in Finland, because some systems print UTF-8 ÖÄÅöäå chars as ASCII, leading to interesting results. Anyway, post offices are really good at deciphering those.
  • Shift JIS - Luckily we're not using anything like that in Finland. But this actually reminds me of the times when I wrote a Code-128 barcode encoder. Code-39 and 128 both allow (and require for efficiency) shifting between different encoding modes called A, B and C. Basically it included a shift for one letter for capital letters and then a caps lock mode which permanently switches to another mode until told otherwise. Modes include lower case, uppercase and double digit mode for compression, which allows encoding two digits per one barcode font symbol.
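    A codeword-level Code 128 encoder, as an added example (not the post author's encoder), showing the permanent switch between code set B (one printable ASCII character per symbol) and code set C (two digits per symbol) plus the check symbol; the single-character SHIFT and code set A are left out. The output values are what a barcode font or bar-pattern table consumes.

```python
"""Code 128 encoder at the codeword level, code sets B and C only.

Added example, not from the original post. Returns the symbol values
(0..106) a Code 128 font or pattern table consumes: start code, data
symbols with mode switches, check symbol, stop. Switching into C pays off
only for an even run of at least four digits (or exactly two at the end).
"""
START_B, START_C, CODE_B, CODE_C, STOP = 104, 105, 100, 99, 106


def _digit_run(text, i):
    """Length of the run of ASCII digits starting at index i."""
    n = 0
    while i + n < len(text) and text[i + n].isdigit():
        n += 1
    return n


def encode_code128(text):
    """Return the codeword list for `text` (printable ASCII 32..126 only)."""
    if not text or any(not 32 <= ord(c) <= 126 for c in text):
        raise ValueError("only printable ASCII 32..126 is supported here")
    run = _digit_run(text, 0)
    in_c = run % 2 == 0 and (run >= 4 or run == len(text))
    codes = [START_C if in_c else START_B]
    i = 0
    while i < len(text):
        run = _digit_run(text, i)
        if in_c:
            if run >= 2:
                codes.append(int(text[i:i + 2]))   # two digits per symbol
                i += 2
                continue
            codes.append(CODE_B)                   # fewer than 2 digits left
            in_c = False
        elif run % 2 == 0 and (run >= 4 or (run == 2 and i + run == len(text))):
            codes.append(CODE_C)                   # permanent switch to C
            in_c = True
            continue
        codes.append(ord(text[i]) - 32)            # code set B value
        i += 1
    # Check symbol: start value plus every data symbol weighted by its
    # 1-based position, modulo 103.
    check = (codes[0] + sum(k * v for k, v in enumerate(codes[1:], 1))) % 103
    codes.append(check)
    codes.append(STOP)
    return codes


if __name__ == "__main__":
    for s in ("12345678", "AB", "AB1234CD", "AB123"):
        print(s, "->", encode_code128(s))
```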
  • Unihan Han Unification - A way to get slightly different Asian symbols to use the same font and visual representation instead of having different symbols for each.
  • A bit faster SSD from Fusion I/O, ioDrive Octal drives - Made me smile. Yet I don't have any use for such high end stuff.
  • iosnoop - Excellent tool for snooping disk I/O latencies per process. I've been using this with some servers whenever I suspect I/O related issues. Especially when using VPS servers, disk I/O can really tank from the level you'd expect it to be.
  • Got a bunch of GTIN codes for one project.
  • Everyone is using ISBN-13 nowadays, but it wasn't always like that. I had to write EAN-13 to ISBN and back encoders/decoders back in the day.
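    The GTIN and ISBN items above share one check digit scheme, so here is an added example (not the post author's code) covering both: the EAN-13/GTIN-13 modulo-10 check digit, the ISBN-10 modulo-11 check digit (which can be X), and the conversion between an ISBN-10 and its 978-prefixed ISBN-13. The sample numbers in the demo are illustrative.

```python
"""EAN-13 / GTIN-13 check digits and ISBN-10 <-> ISBN-13 conversion.

Added example, not from the original post. An ISBN-13 is the EAN-13 built
from the first nine ISBN-10 digits behind a 978 prefix plus a recomputed
EAN check digit; going back drops the prefix and recomputes the mod-11
ISBN-10 check digit, which can be the letter X.
"""


def ean13_check_digit(first12):
    """Modulo-10 check digit with weights 1,3,1,3,... from the left."""
    if len(first12) != 12 or not first12.isdigit():
        raise ValueError("expected 12 digits")
    total = sum(int(d) * (1 if i % 2 == 0 else 3) for i, d in enumerate(first12))
    return str((10 - total % 10) % 10)


def is_valid_gtin13(code):
    """True for a well-formed EAN-13 / GTIN-13 (ISBN-13 included)."""
    return (len(code) == 13 and code.isdigit()
            and ean13_check_digit(code[:12]) == code[12])


def isbn10_check_digit(first9):
    """Modulo-11 check digit with weights 10..2; remainder 10 is written X."""
    if len(first9) != 9 or not first9.isdigit():
        raise ValueError("expected 9 digits")
    total = sum(int(d) * (10 - i) for i, d in enumerate(first9))
    r = (11 - total % 11) % 11
    return "X" if r == 10 else str(r)


def is_valid_isbn10(code):
    code = code.upper()
    return (len(code) == 10 and code[:9].isdigit()
            and isbn10_check_digit(code[:9]) == code[9])


def isbn10_to_isbn13(isbn10):
    """Convert a (possibly hyphenated) ISBN-10 to its 978 ISBN-13."""
    isbn10 = isbn10.replace("-", "").upper()
    if not is_valid_isbn10(isbn10):
        raise ValueError("bad ISBN-10 check digit")
    body = "978" + isbn10[:9]
    return body + ean13_check_digit(body)


def isbn13_to_isbn10(isbn13):
    """Convert a 978-prefixed ISBN-13 back to ISBN-10."""
    isbn13 = isbn13.replace("-", "")
    if not is_valid_gtin13(isbn13):
        raise ValueError("bad EAN-13 check digit")
    if not isbn13.startswith("978"):
        raise ValueError("only the 978 prefix maps to an ISBN-10")
    return isbn13[3:12] + isbn10_check_digit(isbn13[3:12])


if __name__ == "__main__":
    print("GTIN 4006381333931 valid:", is_valid_gtin13("4006381333931"))
    print("0-306-40615-2 ->", isbn10_to_isbn13("0-306-40615-2"))
    print("978-0-201-61622-4 ->", isbn13_to_isbn10("978-0-201-61622-4"))
```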
  • How to be happy - I hope you're already happy, so you don't need to read this.
  • I'm very used to databases which provide full MVCC / snapshot isolation. It was very good that I always test all critical sections separately. I found out that some older and simpler databases require additional lock table statements to lock tables. Without those, simply starting a transaction doesn't provide any protection from other committing transactions. So the database doesn't provide repeatable reads without additional locking.
    Actually repeatable read is still not the same as snapshot isolation. Because it only locks the rows that you have read so far. So if your transaction consists of multiple separate reads, it's possible that those reads do not give you a uniform image of the database as of when the transaction started.
  • Canvas Fingerprinting - Almost impossible to stop network tracking. Yes it is possible to block it, don't run the scripts in the first place.
  • Terminal - Yet another Linux virtualization management tool
  • Reminded myself about protobuf even if I don't have use cases for it. Also checked out Transit, which can encode/decode MessagePack or JSON formats. The world is so full of these 'solutions'.
  • Why blurring sensitive information is a bad idea. - This should be also quite obvious to everyone.
  • StartUp mistakes you shouldn't ever make.
  • hubiC finally fixed their upload speeds. I've been avoiding using hubic.com because upload speeds have been so lousy, less than 1 Mbit/s, but now I'm uploading at 100 Mbit/s which is good enough.
  • Ekahau Spectrum Analyzer - Yes, it's just as cool as it sounds. And does the job. Most guides on how to avoid WLAN / WiFi congestion and interference are quite bad, because most people don't realize there are many other sources than WLAN networks. As well, one heavily used network can be much worse than 10 lightly used ones. Or there might be a reason why there aren't WLAN devices on channels which are used by a wireless video surveillance system and so on.
  • One project was designed to use WebServices a long time ago. But back then it was concluded it's so hard and nearly impossible. What then resulted was that the project did silly things. It dumped changes to be replicated to other databases into one table. Then this one table was dumped as XML files on disk. Then one client compressed these XML files to create a ZIP file. Then there was a client which polled bidirectionally for these ZIP files and transferred those over an encrypted (of course DIY encryption and implementation) TCP connection. And on the other end basically everything happened in reverse. When you think about this complex chain and the slightly bad code which doesn't lock files properly, doesn't check file integrity and randomly fails, you've got an excellent and reliable data transfer solution. Ehh, let's say NOT. All this because directly transferring data would have been 'too complex and unreliable'. Just managed to add 10x overhead and even more unreliability. But we all know this is business as usual and there's nothing new about this kind of stuff happening over and over again.
  • Planned Obsolescence - Great for consumerism, but bad for the environment. It's also a good policy for the software business. It could be hard to charge high maintenance fees, unless customers feel that maintenance is needed. If everything worked without continuous manual fixing, customers might feel that it just doesn't make sense to pay maintenance fees.
  • Finished watching lecture series Thinking Like an Economist (TTC).
  • Reminded myself about Markov chains. Finite-state machines are also closely related. - Sometimes some programs just seem to feel more like infinite-state machines, wait what? That's because there's a nearly infinite number of different ways to fail.
  • One integrator had the lamest debugging tools I've so far seen. They used a program to dump communications in hex, but then? No, no automatic extraction / analysis. They had printed papers with packet formats and then he used a manual calculator to convert between hex, dec and bin. Debugging took a long time and their team seemed frustrated. No, I don't have anything else to say about this but I was a bit aghast. As you can see, there are different levels, something seems just bad and then some cases are actually insanely bad.
  • Decentralization I want to believe - It has been seen over and over again that people don't want and don't care about decentralized systems. The major problem is that decentralized systems are basically mobile hostile. Some companies have used these solutions to limit the burden on their servers, pushing the burden to clients, which are then unhappy about it. Clients can consume a lot of CPU time, memory, disk space, disk access, cause a lot of network traffic, be potentially used to generate DDoS attacks, or malicious traffic etc. All are great reasons why not to use decentralized solutions. People also seem to totally forget that things like email are already decentralized!
    Zero Configuration is also basically impossible because you have to bootstrap the network somehow. Fully decentralised solutions still require bootstrap information. Which is unfortunately hassle enough for many and therefore works as an efficient showstopper.
    Last nail to the coffin is that most people really do not care about security at all. User base is after all just a small bunch of delusional geeks.
    Otherwise if people would really prefer decentralization and secure communication, something like RetroShare and Bitmessage would be widely used.
  • Telehash - Yet another decentralization protocol
  • Tor Traffic Confirmation Attack - Carefully studied the article
  • Remy - Even more TCP congestion control, except this one is so complex it's not actually viable. But it's interesting to see that really complex computer generated rules can outperform simpler solutions.
  • Read about QUIC. But no time for this kind of stuff. Hopefully it will be out in future.
  • Internet censorship is progressing, Russia passed new laws. No link, you'll find it if you're interested.
  • Some D-Link firewalls forward WAN UDP DNS queries to ISP. Really nice, works well for DNS DDoS amplification attacks even with spoofed addresses. No wonder some ISPs have been complaining about this. Devices are really easy to exploit.
  • IBM is building brain-like CPUs with 4096 cores.
  • IBM Research Report - Comparison of Virtual machines and Linux Containers (Native, LXC, Docker, KVM) - Yeah, virtualization is expensive. Yet another reason NOT to run "cloud" at all, if it's not required. It's better to run full servers with your software and proper automation and configuration management. Adding virtualization to this mess just lowers performance and adds costs.
  • Windows 8.1 tablets with InstantGo are really annoying if you're trying to save power. Sleep and Hibernation do have real role even with tablets.
  • What happens if you write TCP stack in Python - Nothing to add, except it seems that he wasn't quite up to the task.
  • How to validate your business idea by testing
  • Is there an anonymous call forwarding service, which could use prepaid from multiple operators? You (A) call number B (forwarding service) and the call is forwarded via C (outbound forwarding service) and finally to D (final destination). This would make tracing calls much harder. Especially because you can switch A-B and C-D independently. But because this is near real-time forwarding this would have similar traffic confirmation characteristics to a VPN provider or Tor relay. Even if you can't directly link the A-B call to the C-D call, you can do it via statistical analysis of calls and timestamps.
  • Tor relay proxy with intentional latency? Would this be a good idea? At least it could be used with Tor SMTP, store and forward service which on purpose adds delay to skew statistical traffic confirmation analysis as well as it could alter the message size (expand it) or by dropping extra padding.
  • How hackers hid a botnet in Amazon - Well, if there are free resources, even little resources, which can be automatically harvested, it creates great potential for abuse. That should be pretty clear.
  • Watched two documentaries, one about Israeli intelligence services and another about Ukraine and Syria.
  • In one security audit for someone: 1/4 (25%) of database servers facing the Internet used the default login & password. Was direct database access blocked by a firewall? Of course the answer is no.
  • Studied Netvisor Web Service REST API for system integration.
  • OFF System (OFFSystem) - Anonymous P2P - Storing only non-copyrightable data - I actually studied this years ago. I just forgot to write about it. It raises interesting questions, especially if I XOR two movies together and release the diff, what exactly am I releasing? This blog post actually contains several high security EC keys. What? Yeah, you'll just have to XOR this with a 'random set of bits'. Lol.
  • Microsoft is going to give data to US agencies, even if users are foreign and data is not stored in US. So if you think using MS European data center(s) provides privacy, you got it wrong. This is going to set lines how much US Cloud Service companies can be trusted in future. Trust is already very weak.
    It's quite likely that the same unfortunate rules apply to Google, Yahoo, Twitter and Facebook as well. The great question is, is it enough that the company hosting the servers is American? If there's a small European business using Amazon servers in Europe, is all your data still fair game for the US?
    It became evident from the news that Google scans emails and attachments really carefully and reports to the authorities. Can that also be extended to other programs? Technically, sure. Wouldn't it be great if the operating system, anti-virus tools, NAS devices, etc. would directly report pirated content to the RIAA; it would save them a lot of trouble.
  • About some of Tor node busts - So many fails. First they failed to use Whonix or similar separation which forces all traffic to go only through tor. Secondly you shouldn't ever mess with, normal (daily use), secure (secret / confidential), and anonymous (no identifying information what so ever) systems. All of those should be completely separate, as deep as hardware level, preferably with individual Internet connections. For secure systems it's good idea to use separation with extremely limited connectivity (rs-serial cable in my case), it's enough to pass ASCII armored pgp messages. AS well for anonymous systems you'll use prepaid data with burner phone and also replace hardware from time to time. You'll also boot the system from read only media, so when ever you'll reset it, it'll be clean again. But if you're lazy and don't care, it's easy to fail. If you use your normal system for all three settings, the results will probably be pretty bad. Also always check signatures, without signature(s) checking it's trivial to give you version which contains well, what ever. 
  • Google Play gives a really bad UX when some updates keep getting installed automatically even if you try to uninstall and disable those apps.
  • Quickly checked out Azure DocumentDB
  • Technology 2014 Hype Cycle Map
  • Sonera (Finnish telco) failed basic access control when providing free benefits. They sent a text message saying that by showing this text message you'll get a 10€ benefit. Great, but they didn't include any code in the message, so nothing stops the same message from being redeemed multiple times.
  • Cloudflare now supports WebSockets - Yay!
  • Offline first is the new mobile first? - This is both a good and a bad development. Some offline-first sites are actually quite ok to use after the initial load, but using such technology can make the initial load ridiculously slow for visitors who aren't using the site daily. Been there and seen that happening.
  • Optional static typing for Python? - Is it worth it for the speed benefit? I guess it is in some cases, because the benefits can be drastic where it matters.
  • I thought I would write more about DNS-based Authentication of Named Entities (DANE) - It seems that not everyone is happy with DANE. Anyway, I have a good friend who's able to do DANE stuff; if you need such services, let me know. Yes, I did read RFC 6698.
  • Something different: Active Protection System [1, 2], Optimal Control, Sliding Mode Control, VA-111 Shkval (Supercavitating torpedo), Chemically strengthened glass
  • I thought I would write more about the LclBd scoring logic, but there's nothing to add. It factors in location, time, and tags and users weighted by a Naive Bayesian implementation. Based on that it picks the latest local news which you're probably interested in, due to the tags used in the post or because you've previously liked posts from the poster. Negative weights are also available so you can dislike stuff, which is something Google+, Facebook and Twitter won't allow you to do. And I don't like that. I want to be able to not like things. ;) Actually the currently deployed version has such bad usability issues that they cast a serious shadow over any usability. Maybe I'll be in the right mood to fix those some day when it's raining and dark. Is it worth it? Well, most probably it isn't. It's just some hobby tinkering.
  • Cell phone guide for US protesters, updated 2014 edition - It's all there: how to use your mobile phone.
  • It seems that Skype dropped support for old non-cloud-based clients and is now forcing everyone to use their cloud storage and relay services. They also forced Ubuntu & Linux users to update Skype.
  • Submarine Cable Map - A great resource if you want to know where the Internet is flowing under the sea.
  • Intel released the first 8-core, 16-thread desktop CPU with DDR4 in the i7 series.
  • What are UTM tracking codes
  • Seamless WiFi roaming - Nice! You can configure many end devices to scan more often in order to roam; of course this doesn't make roaming seamless, but it's good enough. I'm actually curious whether this seamless roaming is actually seamless. It could be, but I don't see any proof there, except that they claim it to be genuine seamless roaming, which would be pretty cool. Genuine seamless roaming would mean that there's no hiccup of any kind when switching base stations. The user wouldn't notice anything at all. Most often that's not required, but it can be beneficial if it's available.
  • The Skyline Problem - Yet another seemingly very simple programming challenge to tackle.
  • Mobile Privacy: Use only clean prepaid phones, and do not call outside the closed circle of those clean unidentified phones. It would be interesting to analyze such data and correlate it with other calls and phones active in parallel. I guess even in this kind of situation you could detect users who are carrying those anonymous phones together with other, identified phones, and where they're relaying the information if they're using an alternate phone. So even this isolation trick won't provide you real privacy.
  • Similarly, many people seem to think that SSL provides security. But no, it doesn't. It only encrypts message content; it doesn't hide communication patterns (who talks to whom, how many transfers, how large and when). So when you open a web page and its resources are downloaded, the number and size of all those downloads can be observed. When you then compare them to the different possibilities available, it's well possible to know exactly which page you opened, even though the encryption wasn't broken.
  • Higher-level dynamic programming, generic versus specific code (which prevents reuse of code), Non-uniform Memory Access (NUMA), multiprocessing, multithreading, shared nothing and so on. - I was supposed to write about this, but no can do right now.
  • Absolutely great post: Visualizing Garbage Collection Algorithms - You just gotta check it out. 
  • I've been writing a lot of stuff using Markdown (MD) lately. See CommonMark.
  • BankAPI - A secure solution specification for delivering messages between banks and other types of financial institutions.
  • I would love to write about the early days of the Internet, when I used Windows 3.11 and Trumpet Winsock and stuff like SLiRP, SLIP, PPP, packet traces, TCP flags, TCP window, RST, ACK, SYN, and other stuff I learned already back then. I miss my 14.4k modem. No, not really.
  • The Samsung Galaxy email app gets ridiculously slow at times. Deleting the cache helps. Bad code doesn't show up, until it does.
  • Actually I don't know why, but running par2 on my computer for some reason makes it incredibly slow even though there seems to be no reason for that. Maybe it's memory contention? But AFAIK that should show up as CPU time; maybe it just doesn't on my current platform.
  • Boxcryptor pre-encrypts data before transferring it to the cloud - Now, I've just used 7-Zip and GnuPG for this very successfully earlier without any problems.
  • Studied Universal Description, Discovery and Integration (UDDI) - No, I'm not currently using it, nor do I see it being needed in the future either.
  • Sovereign @ Github - Tested it and I can't say it better than they do: "A set of Ansible playbooks to build and maintain your own private cloud: email, calendar, contacts, file sync, IRC bouncer, VPN, and more." 
  • Mail-in-a-Box - Yet another alternative, if you don't mind configuring everything by yourself (as I did).
  • My generic guidelines for my own code: reusable, simple, use pre-existing components, Keep It Simple Stupid (KISS), only make optimizations when actually required. Aka focus on what really matters. Keep the project profitable and relatively cheap. - I know a couple of guys who can spend months optimizing code that gets run monthly and takes 5 minutes to run. Is that wise?
  • Studied BtrFS wiki - It seems that I just like reading it over and over again.
  • WPS Wi-Fi router security is in some cases ridiculously bad. Ok, WPS security is always bad; don't use it. This is nothing new. The whole protocol has been broken since its very beginning.
  • I'm not providing you enough interesting links? Ok, you asked for it. Here's a great list of Recommended Reading - compiled by someone else. Just enjoy reading all that stuff.
  • Checked out: The Payment Application Data Security Standard (PA-DSS), formerly referred to as the Payment Application Best Practices (PABP)
  • Was the Silk Road bust assisted by the NSA? Maybe? Who knows. Where are the packet logs? - And the story goes on: FBI's explanation
  • JSON Web Algorithms, Signature, Encryption and Key (JWA, JWS, JWE, JWK) - Standards for signing and encrypting JSON. - JSON Web Tokens (JWT)
  • Just my short thoughts: "transport: sftp, ftp, sftp, RESTful, HTTPS, and data sources: xml, json, csv, sql, mongodb, key-value storage or any other. A data source is just a data source and I'm sure I can deal with it."
  • DevOps Days Helsinki - Like I've written earlier, DevOps isn't the ultimate solution, because it lacks the set of other skills needed to sell, define, offer, build, maintain and support systems.
  • This is exactly what I've been writing: Poor UI Design Can Kill
  • Just quoting some DevOps stuff: 'The basic idea is to bring the traditionally separate developers and system administrators into close cooperation. It is a major shift, thanks to which the pace of software production accelerates, quality improves and costs fall. "It is essential to understand that DevOps is above all about a business process. The fundamental idea of DevOps is to turn an idea into a product as efficiently and quickly as possible", Stordell says of his own view of the nature of DevOps.' - Good question, all that high-level blah blah. Does it really make any practical difference? What if the guys were responsible for everything? The software developer doing everything from start to the very end.
  • I like the concept of chaos engineers. But what if everything is pure chaos even without them?
  • The laws of shitty dashboards - Just so true.
  • I was asked if I'm interested in a major project on distributed WebRTC utilizing HTML5. Well, this time I wasn't available. Yet the project sounded interesting.
  • Avoindata (Open Data Finland in English)
  • Why is Google hurrying to kill SHA-1?
  • A great post about Wifi beamforming
  • Some TLDs still don't support IPv6; one of those is the .at TLD. Nor do they support DNSSEC.
  • Great post The Art of Profitability
  • How handy would an e-receipt be? Our tax authorities remind everyone to issue receipts.
  • Had interesting discussions with friends about whether a database should contain all available information or only the required information. This is actually quite a good question, because it depends on so many factors. In some cases it's really handy to have everything in the database. But from the performance point of view it's really bad to have everything in the database, especially if the whole record gets rewritten on every update due to a bad database engine. It can drastically add to memory and disk I/O requirements due to database size growth.
  • More closed-source solutions: Google deprecates OpenID 2.0 and forces users to use Google+.
  • Latest OpenID specifications
  • Finland is planning to strengthen its national cyber warfare unit and its preparedness for hybrid wars.
  • Making sure crypto stays insecure - An absolute must-read article. This is how things are ruined behind the scenes and the odds are set against you.
  • A great TED talk: Big data is better data by Kenneth Cukier
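
For the Sonera free-benefit item above, here is what the missing piece looks like in code. This is an added example, not Sonera's system or anything from the original post: the phone numbers, the 10 EUR value and the expiry timestamps are constructed, and the "show the SMS" scheme is a stand-in reconstructed from the description in the bullet. Each code is random, bound to the recipient's number, expires, and is redeemable exactly once; only its hash is stored, so a leaked voucher table does not hand out working codes.

```python
import hashlib
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits   # fits in an SMS, easy to type back
CODE_LEN = 10                                       # 36**10 is about 2**51 possibilities


class VoucherService:
    """Single-use, recipient-bound benefit codes. Only sha256(code) is stored."""

    def __init__(self):
        self._codes = {}   # sha256(code) -> issuance record

    @staticmethod
    def _digest(code):
        # Normalise what a human types (case, stray spaces) before hashing.
        return hashlib.sha256(code.strip().upper().encode("ascii")).hexdigest()

    def issue(self, msisdn, value_eur, expires_at):
        """Generate a fresh code for one recipient; the code itself goes out by SMS."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        self._codes[self._digest(code)] = {
            "msisdn": msisdn, "value": value_eur,
            "expires_at": expires_at, "redeemed": False,
        }
        return code

    def redeem(self, code, msisdn, now):
        """Credit the benefit at most once, and only to the number it was issued to."""
        rec = self._codes.get(self._digest(code))
        if rec is None:
            return "rejected: unknown code"
        if rec["msisdn"] != msisdn:
            return "rejected: not issued to this number"
        if now > rec["expires_at"]:
            return "rejected: expired"
        if rec["redeemed"]:
            return "rejected: already redeemed"
        rec["redeemed"] = True          # in a real store: one atomic conditional update
        return "ok: %d EUR credited" % rec["value"]


def redeem_plain_sms(sms_text):
    """Constructed stand-in for the scheme in the post: the message itself is the
    proof, so every forwarded copy is as good as the original."""
    return "ok: 10 EUR credited" if sms_text.startswith("Benefit:") else "rejected"


def demo():
    """Five people present the same message (or code); return credits handed out
    by the broken scheme and by the voucher service, as a (broken, proper) pair."""
    forwarded = "Benefit: show this message in a shop for 10 EUR off"
    broken_credits = sum(redeem_plain_sms(forwarded).startswith("ok") for _ in range(5))

    svc = VoucherService()
    code = svc.issue(msisdn="+358401234567", value_eur=10, expires_at=1420070400)
    results = [svc.redeem(code, "+358401234567", now=1419000000) for _ in range(5)]
    proper_credits = sum(r.startswith("ok") for r in results)
    return broken_credits, proper_credits


if __name__ == "__main__":
    print("credits given (forwarded SMS, single-use code):", demo())
```

Two practical notes. In a real database the flip of the redeemed flag must be a single conditional write (an UPDATE with `WHERE redeemed = 0`, checked by rows affected), otherwise two concurrent redemptions of the same code both succeed. And because codes are guessable in principle, the redeem endpoint needs rate limiting per number and per source; the 51-bit code space only helps if failed attempts are throttled.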
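
For the SSL item above, a worked illustration of how response sizes alone identify a page. This is an added example and not code from the post; the site, its resource sizes, the per-record TLS overhead and the jitter are all constructed for the demonstration. The observer sees only ciphertext lengths, in whatever order the browser's parallel connections finished, yet matching the multiset of bucketed lengths against a catalogue built in advance names the page every time. It also shows the caveat: two pages that differ only in a small HTML body are separated by a thin margin.

```python
from collections import Counter
import random

# Constructed catalogue of an imaginary HTTPS site: page -> plaintext sizes (bytes)
# of the responses a browser fetches to render it. Made up for this example.
SITE = {
    "/login":   [2310, 14800, 33020, 1150],
    "/news":    [18750, 14800, 33020, 45200, 9800, 12400],
    "/about":   [4100, 14800, 3300],
    "/contact": [3900, 14800, 3300],
}

RECORD_OVERHEAD = 29   # assumed bytes added per response by TLS framing, MAC and padding
BUCKET = 64            # coarsen lengths so small padding/header jitter does not matter


def observed_lengths(path, rng):
    """What an on-path observer gets from one page load: only ciphertext lengths,
    in the order the browser's parallel connections happened to finish."""
    lengths = [size + RECORD_OVERHEAD + rng.randint(0, 8) for size in SITE[path]]
    rng.shuffle(lengths)
    return lengths


def fingerprint(lengths):
    """Order-independent shape of a load: multiset of bucketed lengths."""
    return Counter(n // BUCKET for n in lengths)


def distance(fp_a, fp_b):
    """Size of the symmetric difference of two multisets; 0 means identical shape."""
    keys = set(fp_a) | set(fp_b)
    return sum(abs(fp_a[k] - fp_b[k]) for k in keys)


def build_reference(rng):
    """Attacker's preparation: load every candidate page once and record its shape."""
    return {path: fingerprint(observed_lengths(path, rng)) for path in SITE}


def identify(lengths, reference):
    """Rank candidate pages by closeness to the observed shape; best guess first."""
    fp = fingerprint(lengths)
    ranked = sorted(reference, key=lambda path: distance(fp, reference[path]))
    return ranked[0], [(p, distance(fp, reference[p])) for p in ranked]


def hardest_pair(reference):
    """Which two pages look most alike on the wire, and by how little they differ."""
    pages = sorted(reference)
    best = None
    for i, a in enumerate(pages):
        for b in pages[i + 1:]:
            d = distance(reference[a], reference[b])
            if best is None or d < best[2]:
                best = (a, b, d)
    return best


def demo(seed=1):
    """Fingerprint every page, then identify fresh loads of each from lengths only."""
    rng = random.Random(seed)
    reference = build_reference(rng)
    identified = {path: identify(observed_lengths(path, rng), reference)[0] for path in SITE}
    return {"identified": identified, "hardest_pair": hardest_pair(reference)}


if __name__ == "__main__":
    out = demo()
    for real, guessed in out["identified"].items():
        print("loaded %-9s observer says %-9s" % (real, guessed))
    print("closest pair:", out["hardest_pair"])
```

The bucket size is the usual trade-off in traffic analysis: coarser buckets survive more jitter from headers and padding, finer buckets separate more pages. Real attacks add timing and request ordering as further features, which is why padding, pipelining and traffic shaping are the countermeasures, not stronger ciphers.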

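For the JWA/JWS/JWE/JWK item above, an added example (not from the post or any JOSE library) of the one JWS profile most people actually meet: HS256-signed JWTs in compact serialization, written against RFC 7515 and RFC 7518 using only the Python standard library. The key is a constructed placeholder. The verifier pins the algorithm instead of trusting the header, compares MACs in constant time and checks `exp`; the two helpers at the end build the classic alg=none forgery and a payload swap so both rejections can be seen.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. A real HS256 key is at least 256 bits from a CSPRNG
# and, unlike this one, never lives in source code.
DEMO_KEY = b"constructed-demo-key-not-for-production-use-0123456789"


def _b64url(data):
    # JWS uses base64url without '=' padding (RFC 7515, section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text):
    text = text.encode("ascii")
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))


def _json(obj):
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def sign_jwt(claims, key):
    """Compact JWS, HS256: base64url(header).base64url(payload).base64url(HMAC)."""
    signing_input = _b64url(_json({"alg": "HS256", "typ": "JWT"})) + "." + _b64url(_json(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token, key, now=None):
    """Return the claims if the token verifies, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    # The verifier decides the algorithm, not the token: honouring "alg":"none"
    # or switching algorithms on attacker-controlled input accepts forgeries.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected or missing alg")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison; a plain == leaks the position of the first mismatch.
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_unb64url(payload_b64))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def is_rejected(token, key, now):
    """True if verify_jwt refuses the token."""
    try:
        verify_jwt(token, key, now)
    except ValueError:
        return True
    return False


def forge_alg_none(claims):
    """The classic forgery: unsigned token claiming alg=none with an empty signature."""
    return _b64url(_json({"alg": "none", "typ": "JWT"})) + "." + _b64url(_json(claims)) + "."


def swap_payload(token, claims):
    """Keep a valid token's header and signature but replace the payload."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + _b64url(_json(claims)) + "." + sig_b64


if __name__ == "__main__":
    token = sign_jwt({"sub": "alice", "role": "user", "exp": 1420070400}, DEMO_KEY)
    print(token)
    print(verify_jwt(token, DEMO_KEY, now=1420000000))
    admin = {"sub": "alice", "role": "admin", "exp": 1420070400}
    print("alg=none rejected:", is_rejected(forge_alg_none(admin), DEMO_KEY, 1420000000))
    print("payload swap rejected:", is_rejected(swap_payload(token, admin), DEMO_KEY, 1420000000))
```

The same rule carries over to RS256 and ES256 verifiers: the expected algorithm and key are chosen by the application from the token's issuer or `kid`, never read from `alg` in the header, and a key meant for one algorithm is never fed to another.
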
Not enough? See parts 1 and 2.